Indictment: Sysadmin passed over for promotion quits, then strikes back

The idea of the disgruntled sysadmin turning techno-Robin Hood and giving his or her employer a taste of their own medicine is almost universally popular on tech-centric sites and message boards. However, things almost never work out positively for the people who turn revenge-fantasy into reality. The latest sysadmin to strike back, Smithtown, NY-based Michael Meneses, is facing federal charges for allegedly causing over $90,000 in damage to his employer, the Spellman High Voltage Electronics Corporation.

According to the New York Times and several other sources (including ComputerWorld), Meneses' primary task at Spellman was managing the company's enterprise resources management application. As anyone who's been in IT for any length of time knows, ERP applications are almost always cranky and expensive beasts that require employees dedicated to their care and feeding. Meneses' specialty looks to have been with Fujitsu's Glovia ERP application (indeed, on a LinkedIn page that appears to belong to Meneses, he describes himself as an "ERP Guru").

Meneses was one of two employees responsible for the ERP management and customization, and multiple sources describe Meneses as being angry in late 2011 for being passed over for promotion. So angry, in fact, that he allegedly tendered his two weeks' notice in response. His role as ERP administrator gave him privileged access to at least some of the company's IT systems, and though it's impossible to say exactly what happened, the Times' piece reports that before his access was removed, coworkers witnessed Meneses copying files off of his company computer onto a flash drive.

After his employment was terminated, the FBI claims Meneses embarked on a three-week revenge campaign against the company, causing "over $90,000" in damage to Spellman's business. The actual descriptions of what Meneses is supposed to have done and the methods allegedly used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network." According to the reports, Meneses then deployed "a program that captured user log-in names and passwords" of his former coworkers. The FBI's press release also says that he used stolen user credentials to access Spellman's network via a VPN connection, where he then "corrupt[ed] the network," whatever that means.

However, more than just stealing credentials and "corrupting the network," the FBI says that Meneses also inflicted substantial damage on the company's operations. Once in possession of several employees' credentials, he is alleged to have altered the company's business calendar by a full month, causing problems across all aspects of the business, including finance and production. He also is alleged to have sent at least one e-mail to a prospective new employee seeking to fill his old job, telling the candidate, "Don't accept any position" with the company.

Federal investigators, responding to the company's complaints, examined the changes to the business calendar and noted that they were made by an account logged in via VPN, which they "traced" to a hotel in North Carolina, near Meneses' new job. The hotel's guest register showed that Meneses was staying there when the calendar hack occurred, and he was taken into federal custody shortly after.

Now back in New York, Meneses last Thursday officially denied the allegations of "hacking" and was released on a $50,000 bond. If the case goes to trial and Meneses is convicted, he will face up to ten years in prison and a $250,000 fine.


Lee Hutchinson
Lee is the Senior Technology Editor at Ars and oversees gadget, automotive, IT, and culture content. He also knows stuff about enterprise storage, security, and manned space flight. Lee is based in Houston, TX. Email: lee.hutchinson@arstechnica.com // Twitter: @Lee_Ars

Yeesh, what a way to get the hammer brought down on you. You don't mess with a company's ERP. There are things you can do that will get a company annoyed and get a slap on the wrist, but risking their ERP is not one of them. That practically guarantees the hammer will be brought down with its full force. You're messing with company lifeblood there.

Plus, ERP systems by their very nature are transactional. Anything he did should be easily tracked through the system. It's a whole other level of system understanding to remove even the transactions without that leaving its own tracks.

The actual descriptions of what Meneses did and the methods used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network." According to the reports, Meneses then deployed "a program that captured user log-in names and passwords" of his former coworkers. The FBI's press release also says that he used stolen user credentials to access Spellman's network via a VPN connection, where he then "corrupt[ed] the network," whatever that means.

I wonder if some of these charges are going to get dismissed for vagueness. The calendar thing and the passwords (if true) are enough to convict, for sure. But there's no way he could be tried for "corrupting the network" unless it actually means something.

If the case goes to trial and Meneses is convicted, he will face up to ten years in prison and a $250,000 fine.

No sympathy from me. Fingers crossed.

Not from me, either.

I love reading the exploits of the BOFH, but that is pure fantasy, or is supposed to be. It's good for humour and blowing off steam ONLY - anyone who actually thinks they can pull off any of the BOFH's adventures is unstable at best.

I have often wondered if we system admins are an unusually angry lot, or if it just appears that way because they use sysadmin forums to vent frustration. Either way, after some of the advice I have seen doled out on Reddit and such I am somewhat surprised this does not happen more often.

I'd like to know which VPN he was using that allowed him to be "traced" so easily.

What VPN would you use that WOULDN'T let your incoming IP be logged? The answer is one that a business wouldn't (since, you know, you have to use their VPN to connect). Obviously he should have used some proxies (which he should know as a sysadmin). Anyway, he obviously wasn't smart enough to set up "time bombs" in the network like any real pro would do. Set the time bomb to go off after a year or so to screw user accounts, screw up sqlserver backups, or just take down the network in various other ways.

The real answer is this answers WHY he was passed up for promotion....

"Federal investigators, responding to the company's complaints, examined the changes to the business calendar and noted that they were made by an account logged in via VPN, which they "traced" to a hotel in North Carolina, near Meneses' new job"

The actual descriptions of what Meneses did and the methods used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network." According to the reports, Meneses then deployed "a program that captured user log-in names and passwords" of his former coworkers. The FBI's press release also says that he used stolen user credentials to access Spellman's network via a VPN connection, where he then "corrupt[ed] the network," whatever that means.

I wonder if some of these charges are going to get dismissed for vagueness. The calendar thing and the passwords (if true) are enough to convict, for sure. But there's no way he could be tried for "corrupting the network" unless it actually means something.

And the fact that he stayed at the hotel/motel where the IP address was traced seems circumstantial at best. That's not proof that he did anything.

The actual descriptions of what Meneses did and the methods used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network." According to the reports, Meneses then deployed "a program that captured user log-in names and passwords" of his former coworkers. The FBI's press release also says that he used stolen user credentials to access Spellman's network via a VPN connection, where he then "corrupt[ed] the network," whatever that means.

I wonder if some of these charges are going to get dismissed for vagueness. The calendar thing and the passwords (if true) are enough to convict, for sure. But there's no way he could be tried for "corrupting the network" unless it actually means something.

And the fact that he stayed at the hotel/motel where the IP address was traced seems circumstantial at best. That's not proof that he did anything.

Ex-employee happened to be checked into a hotel room from which an originating IP came from into their network. While that is circumstantial, that is easily more than enough to convict honestly. Especially considering everything else.

It blows my mind that this guy could work in tech, call himself an "ERP Guru" and apparently not have the slightest clue how to obscure his location for his dastardly deeds. Or that he thought he had any chance at all of getting away with this no matter what measures he took. He might as well have walked into the office of the employee who (correctly) passed over him for promotion and pooped on their desk. Equally poor chance of success, and $90,000 cheaper for them :\

If the case goes to trial and Meneses is convicted, he will face up to ten years in prison and a $250,000 fine.

250K for 90K of alleged damages? Seems a bit harsh. And a lot of people do far worse things and get less than 10 years prison time. But I guess it depends on what kinds of prison: white-collar resort prison, with conjugal visits, or... the other kind.

The actual descriptions of what Meneses is supposed to have done and the methods allegedly used are annoyingly vague across all the available sources, with all agreeing that he "hacked into the company's network."

This feels a little reminiscent of a Facebook user complaining of being "hacked" when a friend posts a status update while said user is logged in.

I'm trying to imagine what it would be like to gather information to prosecute a case like this. I work at a place with a large IT department and a real intranet, but even still, we're hard pressed to find which computer has a file locked open or find the root cause of excessive network traffic. To get to the "reasonable doubt" level, especially with somebody saying "the company is out to get me and will pressure employees to find dirt on me", must be really tough.

Either or I have no sympathy for the guy. If he was unfairly passed over then quitting was the correct solution. If he was illegally passed over (discrimination or whatnot) then a lawsuit would have been the correct answer. Throwing a tantrum and "damaging a system" is not the correct answer unless it's Skynet.

Not only has he made himself unemployable, but he is about to enter this newfound unemployability with an incredible amount of debt. I hope he doesn't have any dependents expecting him to put food on the table. :-\

And this is why I always tell any employer that the first thing you do is shut off their network access in any form, and as an employee, I want the same done.

In some scenario where the guy who didn't quit fucked things up and then blamed it on the guy who left (which happens), you want to be sure you know that they can't blame you if you leave.

Of course, I don't try to access systems of former employers, except their website for their mailing address or something like that. Guy had a new job already; best revenge is a life well lived. Put your finger up at your former employer and do great work for great rewards at your new employer.

Either or I have no sympathy for the guy. If he was unfairly passed over then quitting was the correct solution. If he was illegally passed over (discrimination or whatnot) then a lawsuit would have been the correct answer. Throwing a tantrum and "damaging a system" is not the correct answer unless it's Skynet.

What they did to that little girl is nothing short of horrendous. She tries to do a science experiment, it pops, puffs smoke, no one is hurt, nothing is damaged, and they expel her and charge her with a felony. It boils my blood thinking about it. http://www.usatoday.com/story/news/nati ... t/2130381/

I'd like to know which VPN he was using that allowed him to be "traced" so easily.

What VPN would you use that WOULDN'T let your incoming IP be logged? The answer is one that a business wouldn't (since, you know, you have to use their VPN to connect). Obviously he should have used some proxies (which he should know as a sysadmin). Anyway, he obviously wasn't smart enough to set up "time bombs" in the network like any real pro would do. Set the time bomb to go off after a year or so to screw user accounts, screw up sqlserver backups, or just take down the network in various other ways.

The real answer is this answers WHY he was passed up for promotion....

Because he couldn't get away with it? What a funny world you all live in.